RegTech Intelligence

UK FCA says it has tripled financial crime supervisory work; onboarding and due diligence are weak spots, say specialists

By Rachel Wolcott, Regulatory Intelligence

The Financial Conduct Authority (FCA) opened “around 600” supervisory cases looking at financial crime between April 2022 and March 2023. That represents a threefold increase in its overall proactive work from the previous year and covers roughly 1% of the authorised population (21,500) subject to Money Laundering Regulations (MLR 2017), a FCA spokesperson said.

“It is vital firms maintain momentum improving their financial crime controls. We work closely with law enforcement and other partners to track the money laundering risks in the market, identify higher risk firms, and take action. Where we are concerned about safeguards at a particular firm, we will take steps to tackle them, including placing restrictions on the business or carrying out an enforcement investigation,” the spokesperson said.

This supervisory push is part of the FCA’s plan to get on top of financial crime risks without necessarily launching an enforcement investigation.

“What the FCA has been flagging, generally, is that they are going to be more interventionist at the supervisory level, rather than referring things into enforcement for a formal investigation which may not lead to a penalty. It’s almost a pre-investigation that would be conducted by those supervisory teams,” said Michael Ruck, a partner at K&L Gates in London.

Many firms struggle with all aspects of financial crime compliance, however, and continue to work with the FCA’s work to improve their control environment to remedy weaknesses highlighted in its 2021 “Dear CEO” letter. Client onboarding, enhanced due diligence, and therefore continuing client monitoring remain weak spots in financial crime systems and controls, experts told Regulatory Intelligence.

Onboarding weaknesses

Banks, particularly challenger banks, assume their customer bases to be predominately UK-based and therefore low risk. Post- pandemic more banks are comfortable with remote onboarding and tune their onboarding processes accordingly. That means most customers are flagged as standard risk and therefore are subject to fewer due diligence and continuing monitoring checks.

“Retail banks in particular in fintechs try to game the system by claiming that they are UK-centric institutions. Most of the industry now works on a risk algorithm for customer risk assessment. They’re not all the same, but if you if that risk algorithm only asks you to plug in certain attributes, because it’s been designed to drive the outcome that you want for your sector, then you’re going to end up with more low-risk customers,” said an independent financial crime consultant, on condition of anonymity.

Banks need to improve their account opening fraud detection capabilities, because in the UK 50% of mule accounts are newly opened accounts that passed know-your-customer (KYC) checks. In the United States, some 90% of mule accounts are newly opened and KYC vetted, said Uri Rivner, chief executive at Refine Intelligence in Tel Aviv.

“Run a mule detection program. The best programs use behavioural and device analytics to spot mule patterns. Expect to catch about 30% of mule activity this way,” Rivner said.

Business banking

Business banking customers, particularly smaller businesses, are also onboarded digitally or over the phone as banks close branches and reduce the number of business banking relationship managers. This change means banks do not know their business banking clients thoroughly and do fewer in-person checks as part of their continuing monitoring.

“Ten years ago, remote onboarding or non-face-to-face would have been classified as high risk, now it’s classified as different. You need to take different steps to mitigate those risks. It’s not higher or lower risk, it is just different,” said James Nurse, head of consulting at FINTRAIL in London.

Changes to the MLRs introduced in 2020 add new high-risk factors when assessing the need for enhanced due diligence, additional information, and monitoring. One of these factors is “non-face to face business relationships or transactions without certain safeguards, for example, as set out in regulation 28 (19) concerning electronic identification processes”.

The FCA’s 2022 Santander UK final notice sets out two instances where the bank had to cease or restricting business banking clients to mitigate anti-money laundering risks. In 2019, Santander voluntarily ceased onboarding business banking customers through online and telephone channels. It restricted onboarding high-risk business customers in 2021, again to mitigate AML risks (final notice, 6.21).

“Firms don’t always know their clients as well as they maybe should at onboarding and that can make it hard to translate into effective monitoring,” Nurse said.

Account providers are under clear requirements to implement effective KYC and due diligence procedures, the FCA said.

“These procedures involve conducting thorough checks on customers to verify their identity/source of funds/source of wealth, assess their risk profile, and ensure compliance with anti-money laundering regulations. Once onboarded firms are required to keep that information up to date as well as undertaking ongoing monitoring including scrutiny of transactions,” it said.

Criminals know the system

Criminals and others seeking to access banking services dishonestly can evade enhanced due diligence checks simply by knowing how to complete applications to appear to be standard risk customers. Bad actors can abuse the banking system easily, said financial crime experts with extensive remediation and section 166 skilled person review experience.

In the UK, one method bad actors use to pass KYC is registering businesses at Companies House with Standard Industrial Classification (SIC) codes aligned with low-risk businesses. Bad actors know banks look at SIC codes to assess risks.

Last year, a crypto ATM company Gidiplus attempted to gain FCA registration for MLRs, used SIC codes indicating it was a catering or events business to open bank accounts. Gidiplus’s owner was investigated by police in 2018 for possible money laundering and admitted misleading banks over the nature of his business.

SIC codes were raised in the 2022 Santander UK final notice. It had an internal SIC code system that did not match the one used by Companies House, which caused confusion. Separately its checks did not pick up on customer A claiming to be a translation services business when its Companies House SIC code indicated it was a financial service provider.

“While the SIC codes might be used by account providers as a way to help establish the nature of applicant businesses, they are not sufficient on their own to confirm the full nature of the business being carried out,” the FCA said.

Enhanced due diligence

Several recent FCA AML enforcement decisions, Guaranty Trust Bank (UK) Ltd, Santander UK, found failures to carry out customer due diligence (CDD) or enhanced due diligence (EDD). The FCA’s 2021 “Dear CEO” letter said firms, among other things, “lacked an appreciation of the risks involved in certain functions which resulted in inadequate CDD being conducted”. It found firms failed to undertake and document risk assessments and to correctly identify clients as high risk.

That is partly because some UK firms assume their customers to be UK-based and therefore low risk. They fail to look deeply enough to discover that a UK business could have overseas ownership that would require EDD checks.

“You could have a low- or a medium-risk where you identify that somewhere in the chain who is a [politically exposed person] that is in a non-EU jurisdiction or a non-equivalent jurisdiction, and you would therefore need to apply EDD to that element of that case. And

it’s something that gets missed by a lot of firms because they have this very linear viewpoint that ‘we’re low risk. We only do UK centric business’,” the anonymous financial crime consultant said.

The FCA decisions also highlighted that firms collect insufficient information to determine and understand the purpose and the intended nature of the business relationships they are establishing. Firms did not establish the anticipated nature and level of activity to be undertaken, source of funds or the trading history of the clients to provide a sufficient basis for transaction monitoring, the FCA said.

“It is true that some banks do not do enough in relation to EDD as evidenced by recent fines. Some undertake CDD but describe it as EDD. Some will verify source of wealth as part of their CDD, and that’s brilliant, but what do they then do for EDD in addition to that?” said Daren Allen, a partner at Shoosmiths in London.

Proactive FCA assessments

Some 60 of these 600 new FCA supervisory cases stem from proactive assessments, one of the FCA’s supervisory tools, and about 225 of the 600 cases feature direct involvement of financial crime specialist supervision. The FCA uses a combination of data analytical, firms’ principle 11 disclosures, whistleblower disclosures and reports from law enforcement or other parties to drive its financial crime supervisory work, the spokesperson said.

The FCA’s financial crime team is relatively small, counting only the equivalent of 52 employees dedicated to AML/CTF supervision as of August 2021 (FoI8528). The FCA commissioned only nine skilled persons reviews (s 166) over the same period, however, according to its own data.

The FCA had 53 financial crime enforcement investigations open as of year-end 2021/22, the latest available statistics. That includes two cases opened into money laundering controls on voluntary requirements and four cases such cases opened on an own initiative requirement basis. There were three open criminal investigations, two dual track and 38 regulatory investigations.

This article was originally produced by Thomson Reuters Accelus Regulatory Intelligence  22 June 2023

To promote global dialogue on how to deliver regulatory change JWG post hundreds of focused articles a year to thousands of subscribers. Get involved and join the mail list.

By hitting the subscribe button you agree to our Privacy Policy